© 2018 IJRAR November 2018, Volume 5, Issue 4 www.ijrar.org (E-ISSN 2348-1269, P- ISSN 2349-5138)
IJRAR1904588 International Journal of Research and Analytical Reviews (IJRAR) www.ijrar.org 576
FIVE FACTOR AUTHENTICATION (5FA) FOR SECURED LOGIN PROCESS WITH AES-256 ENCRYPTION IN WEB APPLICATIONS
1 T. Ebanesar, 2 Dr. G. Suganthi, Ph.D
1 Assistant Professor, Department of Computer Science, Malankara Catholic College, Mariagiri, Tamilnadu, India
2 Associate Professor, Department of Computer Science, Women's Christian College, Nagercoil, Tamilnadu, India
Abstract: In today's internet world, all web applications use two-factor authentication for their login process, and all Internet applications still rely on text-based passwords as the authentication method. This was the existing method for preventing an unauthorized person from accessing or entering an account. With today's technological revolution, hackers are able to hack accounts protected by the 2FA method, because in 2FA the password is easy to steal or hack. To avoid this, we propose a new high-level security authentication method called 5FA (Five Factor Authentication). Research suggests that the use of images may be more effective in terms of security and ease of use for some applications, because humans find it easier to recognize images than to remember passwords. In this paper we describe a new image-based authentication system which can be used independently. We implemented this system along with the current authentication system (username and password) and OTP. The main objective of this paper is to secure the login process and protect personal or public data to the maximum level. In this paper we have implemented the 5FA method with client-side encryption using AES-256.
Keywords – authentication, data protection, 2FA method, graphical image password, AES-256 encryption, MFA method, OTP
1. INTRODUCTION
Security is the main concern of Internet-based web applications. Most login accounts these days use a combination of username and password for authentication. In fact, this is not secure, because hackers are able to obtain the username and password easily. A graphical password is easier than a plain-text password: it is easy to remember. Graphical passwords use images instead of text-based passwords. Almost all Internet applications still use text-based passwords as their authentication method. Authentication to access a login account, to access social media accounts, or to reserve flight, train and hotel tickets online is carried out with an alphanumeric password or an OTP. Authentication is the most important process for confirming that you are the rightful user of the login account. The use of static passwords in the login process makes it easy to access any user's files. Hackers, identity thieves and fraudsters find it easy to attack login accounts and steal passwords in order to gain access to those accounts.
The 5FA method is the combination of an alphanumeric text password, an OTP, a graphical image, an offline signature and a master key. All five security mechanisms are encrypted at the client side using AES-256. In the client-side encryption technique, all data are encrypted at the client side before being stored on the server, so hackers are not able to obtain the user's login data. Sending the client-side encrypted string to the server means that the actual data is never known at the server. In our project, we used a similarity measure algorithm for image matching.
A strong password with encryption is your first level of defence against online intruders and hackers. It is very important to protect our personal accounts (e-mail, social media accounts). If a hacker hacks or breaks the text-based login account and the OTP, the third level of our security stops everything.
2. EXISTING AUTHENTICATION METHOD
Authentication is the way to access web applications with the proper keys. Most web applications use the Two-Factor Authentication method. It is not secure for online transactions and the login process. Username and password are the most commonly used mechanism for authentication because of their simplicity and convenience. When you sign into any website or app, you are probably asked to sign in with a username and password. The password you enter is considered single-factor authentication: one factor, your username and password, proves to the website that you are allowed to access the account. Two-Factor Authentication, commonly referred to as 2FA, is a feature that adds an additional "factor" to your normal login procedure to verify your identity. 2FA adds an extra layer of security by verifying your identity with an OTP sent via SMS: a unique 4-digit one-time password is generated and sent to the registered user's phone number. All the social media websites such as Facebook, Twitter and Google+, and net banking accounts, use the 2FA method to access the account and for online transactions. Even with this method, online accounts and social media accounts may be hacked by cybercriminals. Most e-mail service providers use the 2FA method, for example Gmail, AOL, FastMail, Hushmail, Yahoo, Zimbra, Zoho and ProtonMail. In September 2018, at least 50 million Facebook accounts were hacked [24]; Facebook login uses the 2FA method. In 2013, Yahoo confirmed that cybercriminals were able to steal personal data, including names, addresses and security questions, from all 3 billion Yahoo user accounts [25]; Yahoo also uses the 2FA method. Table 1 gives information about the hacking of user accounts on different websites that use the 2FA method.
Table 1: Hacking of user accounts on different websites that use the 2FA method
Sl.No | Website Name     | Authentication Used | Year | Total No. of User accounts hacked
1     | www.yahoo.com    | 2FA                 | 2013 | 3 billion
2     | www.facebook.com | 2FA                 | 2018 | 50 million
From the above analysis, it is found that the 2FA method is not the best method to secure users' accounts.
3. PROPOSED AUTHENTICATION METHOD
With the existing method of text-based username and password plus OTP, hackers are sometimes able to break the login. To avoid this, we propose the Five-Factor Authentication (5FA) method. This method uses five different layers of security when logging into websites or web applications. In our project, all data are encrypted at the client side, so that no data will be stolen by hackers. The block diagram of the proposed system is shown in Fig. 1.
Fig 1: Block diagram of proposed system
We explain below the steps involved in the registration and login sections of the proposed method.
3.1) Registration Process: Fig. 2 shows the registration phase of the 5FA method. In the registration phase, the user enters all personal information together with a graphical image and an offline signature. This graphical image and offline signature are used to check the user at the time of login. When the user registers with the web application, the user selects a password with the following constraints: a strong password should have a minimum of 8 alphanumeric characters and include a mix of uppercase letters, lowercase letters and numbers. Username and password are encrypted at the client side using the AES-256 encryption method. Apart from selecting the password, the user needs to select one image as the graphical password image. The image and the offline signature are stored in the database in the form of their size. The registration phase is shown in Fig. 2.
Fig 2: Registration Process
3.2) Login Process: In the login process, we have implemented five different levels of security to protect the user's data. The login process uses the 5FA method. In 2016, 3.3 billion login credentials were stolen, and 9 out of 10 login attempts were fraudulent in 2016 [26]. To protect our data from cybercriminals, it is very essential to implement the 5FA method. In this project, we used AES-256 encryption at the client side to protect the user's login credentials.
The login process is as follows:
3.2.1) User name & Password (First Factor)
3.2.2) OTP (Second Factor)
3.2.3) Graphical Image or User's Photo (Third Factor)
3.2.4) Offline-Signature (Fourth Factor)
3.2.5) MasterKey (Fifth Factor)
3.2.1) User name & Password
The most commonly used form of authentication today is password based, wherein a user is prompted to enter a username and password. A user logs into the website with a username and password. When the user enters the account, a 5-digit alphanumeric string is automatically generated in the masterkey field of the database with AES-256 encryption. This masterkey will be used as the fifth factor of the login process. The login process is shown in Fig. 3. This is considered the First Factor Authentication.
3.2.2) OTP
A One Time Password (OTP) service using a mobile phone was first implemented in Japan in 2007. Users can use this for better security in online transactions and web applications. A one-time password (OTP) is an automatically generated numeric or alphanumeric string of characters that authenticates the user for a single transaction or session. It is used by many online platforms to validate customer transactions and identity. A one-time password, as the name indicates, is only valid for a specific time interval or for one-time use. If the user credentials are valid, a 4-digit one-time password is sent to your registered mobile number through SMS and you are required to enter it when prompted. The OTP verification process is shown in Fig. 4. It is the Second Factor Authentication. If the OTP session expires, the user can receive a new OTP by using the resend OTP option.
3.2.3) Graphical Image or User's Photo
If the OTP is correct, the user is asked to upload the image that he or she stored at the time of sign-up. We used a similarity measure algorithm for image matching; an important problem in image processing is the comparison of images. The verification of the user's image or photo is shown in Fig. 5. It is the Third Factor Authentication.
3.2.4) Offline-Signature
After the image matches, the user selects his or her signature for the fourth level of security. The verification of the user's offline signature is shown in Fig. 6. It is the Fourth Factor Authentication.
3.2.5) MasterKey
After the offline signature matches, the 5-digit alphanumeric OTP code is sent to your registered mobile number through SMS. This OTP is the MasterKey or MainKey for logging into the system. The MasterKey is generated using a random algorithm, which makes it unique every time the user requests a login. This is the Fifth Factor Authentication. The verification of the masterkey is shown in Fig. 7.
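As an added example (not the paper's or the project's code), the following Python issues and verifies the 4-digit OTP of Section 3.2.2 and the 5-character alphanumeric masterkey of Section 3.2.5. The expiry and resend behaviour the text describes is modelled with a time-to-live and a single-use flag, the code is stored only as a hash bound to the user and the factor, and the comparison is constant-time; those details, and the injectable clock used for testing, are assumptions.

```python
# Added example, not the paper's code: an issuer for the 4-digit OTP (second
# factor) and the 5-character alphanumeric masterkey (fifth factor) of Section
# 3.2. Assumed behaviour beyond the paper: codes expire after a TTL, are
# single-use, a resend voids the previous code, and only a hash is stored.

import hashlib
import hmac
import secrets
import string
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

ALNUM = string.ascii_uppercase + string.digits


def generate_otp() -> str:
    """4-digit numeric OTP from the OS CSPRNG; leading zeros are kept."""
    return f"{secrets.randbelow(10_000):04d}"


def generate_masterkey() -> str:
    """5-character alphanumeric masterkey, fresh for every login request."""
    return "".join(secrets.choice(ALNUM) for _ in range(5))


def _digest(user: str, purpose: str, code: str) -> bytes:
    # Bind the hash to user and factor so a code cannot be replayed for
    # another user or presented as a different factor.
    return hashlib.sha256(f"{user}|{purpose}|{code}".encode()).digest()


@dataclass
class Challenge:
    digest: bytes
    expires_at: float
    used: bool = False


@dataclass
class CodeIssuer:
    ttl_seconds: float = 120.0
    now: Callable[[], float] = time.time  # injectable clock, for tests
    pending: Dict[Tuple[str, str], Challenge] = field(default_factory=dict)

    def issue(self, user: str, purpose: str) -> str:
        """Create a code for 'otp' or 'masterkey'; an earlier one is voided (resend)."""
        code = generate_otp() if purpose == "otp" else generate_masterkey()
        self.pending[(user, purpose)] = Challenge(
            _digest(user, purpose, code), self.now() + self.ttl_seconds)
        return code  # delivered by SMS in the paper's design

    def verify(self, user: str, purpose: str, code: str) -> bool:
        """Accept a live, unused code once; compare hashes in constant time."""
        ch = self.pending.get((user, purpose))
        if ch is None or ch.used or self.now() > ch.expires_at:
            return False
        if not hmac.compare_digest(ch.digest, _digest(user, purpose, code)):
            return False
        ch.used = True
        return True


if __name__ == "__main__":
    issuer = CodeIssuer()
    otp = issuer.issue("alice", "otp")
    print("first use :", issuer.verify("alice", "otp", otp))   # True
    print("second use:", issuer.verify("alice", "otp", otp))   # False
```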
4. Image Comparison Algorithm
In this project, we used an image similarity measure algorithm for comparing two images. The simplest similarity measure consists of directly comparing the pixel values of the two images, e.g. by means of the total pixels. When registering the account, it is essential to store the image for security. This image is stored on the server and its size (total number of bytes) is stored in the database. When the user logs into the system, the system asks for two images one by one from the registered database, and the user has to select the image that was selected at registration time. The stored size of the image is held in a HiddenField control, a non-visual ASP.NET control in which a value can be saved. This value is then matched against the uploaded image: if the two image sizes are equal, the images are considered the same. The pseudocode for comparing the two images is given in Pseudocode 1.
// ASP.NET / C#: dt holds the registered user's row, fuimage is the FileUpload
// control and HiddenField1 carries the stored size across the postback.
if (dt.Rows.Count > 0)
{
    // Size (KB) of the image chosen at registration, kept in a hidden field.
    HiddenField1.Value = dt.Rows[0]["sizephoto"].ToString();

    // Decode the upload to confirm it is an image; the dimensions are read
    // but only the file size takes part in the comparison.
    System.Drawing.Image img = System.Drawing.Image.FromStream(fuimage.PostedFile.InputStream);
    int height = img.Height;
    int width = img.Width;

    // Uploaded size in KB, rounded to 5 decimal places as at registration.
    decimal size = Math.Round((decimal)fuimage.PostedFile.ContentLength / 1024m, 5);
    decimal siz2 = Convert.ToDecimal(HiddenField1.Value);

    if (size == siz2)
    {
        // Sizes equal: treat the images as the same and go to the fourth factor.
        ClientScript.RegisterStartupScript(this.GetType(), "alert", "ShowPopup();", true);
        Response.Redirect("VerifySignature.aspx");
    }
    else
    {
        // Sizes differ: show the popup and stay on this page.
        ClientScript.RegisterStartupScript(this.GetType(), "alert", "ShowPopup();", true);
    }
}
Pseudocode 1: Comparison of two images pseudocode
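As an added example (not the paper's or the project's code), the following Python places the size-equality check of Pseudocode 1 beside the direct pixel comparison that Section 4 names as the simplest similarity measure. The images are constructed 4x4 grayscale arrays embedded inline; two of them have the same byte size but different content, which is the case a verifier of this factor must be able to tell apart.

```python
# Added example, not the paper's code: the size-equality check of Pseudocode 1
# next to a direct pixel comparison (the "simplest similarity measure" of
# Section 4). Images are constructed inline as rows of 8-bit grayscale values,
# so no image library is needed and the script runs offline.

from typing import Dict, List

Image = List[List[int]]  # rows of 8-bit pixel values


def image_size_bytes(img: Image) -> int:
    """Byte count of the raw pixel data (one byte per pixel)."""
    return sum(len(row) for row in img)


def sizes_match(stored_size: int, uploaded: Image) -> bool:
    """The check in Pseudocode 1: accept when the byte sizes are equal."""
    return stored_size == image_size_bytes(uploaded)


def pixel_similarity(a: Image, b: Image) -> float:
    """Fraction of positions whose pixel values are identical.

    Images of different dimensions never match (similarity 0.0).
    """
    if len(a) != len(b) or any(len(r) != len(s) for r, s in zip(a, b)):
        return 0.0
    total = image_size_bytes(a)
    if total == 0:
        return 0.0
    same = sum(x == y for ra, rb in zip(a, b) for x, y in zip(ra, rb))
    return same / total


def pixels_match(a: Image, b: Image, threshold: float = 1.0) -> bool:
    """Accept only when similarity reaches the threshold (exact by default)."""
    return pixel_similarity(a, b) >= threshold


# Constructed sample data: the registered image and two uploads of the same
# 4x4 size. UPLOAD_SAME is identical; UPLOAD_OTHER has the same byte size
# but every pixel differs.
REGISTERED: Image = [
    [0, 0, 255, 255],
    [0, 0, 255, 255],
    [255, 255, 0, 0],
    [255, 255, 0, 0],
]
UPLOAD_SAME: Image = [row[:] for row in REGISTERED]
UPLOAD_OTHER: Image = [
    [255, 255, 0, 0],
    [255, 255, 0, 0],
    [0, 0, 255, 255],
    [0, 0, 255, 255],
]


def compare_checks(stored: Image, uploaded: Image) -> Dict[str, object]:
    """Run both checks so the difference between them is visible."""
    return {
        "size_check": sizes_match(image_size_bytes(stored), uploaded),
        "pixel_check": pixels_match(stored, uploaded),
        "similarity": pixel_similarity(stored, uploaded),
    }


if __name__ == "__main__":
    print("identical upload:", compare_checks(REGISTERED, UPLOAD_SAME))
    print("other upload    :", compare_checks(REGISTERED, UPLOAD_OTHER))
```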
Fig 3: Login Process – Username & Password (First Factor)
Fig 4: Login Process – Verify OTP (Second Factor)
Fig 5: Login Process – Verify Image or Photo (Third Factor)
Fig 6: Login Process – Verify your Signature (Fourth Factor)
Fig 7: Login Process – Verify MasterKey (Fifth Factor)
5. FIVE-FACTOR AUTHENTICATION (5FA) METHOD
Five-factor authentication is the most secure authentication method in the IT field. Five-factor authentication, or 5FA, uses five different layers of security when logging into websites or web applications. With 5FA, you log in with your username and password and then provide further forms of authentication that only you know or have access to. This method strengthens security by requiring five methods or levels (also called factors) to verify your identity. These factors are things you know: a username and password, an OTP, a graphical image or user's photo, an offline signature and a masterkey. There have been several cases of stolen and hacked passwords with the 2FA method, and a web application with just a simple username and password combination is very easy to hack. In this situation, implementing five-factor authentication will prevent hackers from gaining access to your accounts even if your password is stolen. The extra layers of protection that 5FA offers ensure that your account is more secure. Five-factor authentication is the most reliable way to ensure the security of your users.
5FA protects against phishing, social engineering, password brute-force attacks and password hacking. Five-factor authentication provides an extra layer of security and makes it harder for attackers to gain access to a person's devices and online applications.
6. AES-256 ENCRYPTION ALGORITHM
The Advanced Encryption Standard (AES) is one of the most frequently used and most secure encryption algorithms in the IT industry. AES is also called the Rijndael cipher. AES is a symmetric cipher and uses the same key for encryption and decryption. It was developed by Vincent Rijmen and Joan Daemen in 1997 and later approved as a federal encryption standard in the USA in 2002. AES supports 128-, 192- and 256-bit encryption, determined by the key size: a 128-bit key is 16 bytes, a 192-bit key is 24 bytes and a 256-bit key is 32 bytes. It supports a block length of 128 bits and key lengths of 128, 192 and 256 bits. AES encryption offers good performance and a good level of security. We implemented AES-256 encryption in our project because it is a strong and secure cipher: it is very difficult to access the content, and in fact it is not possible to read the original content. It is faster than the other encryption algorithms. As of today, no practicable attack against AES exists; therefore AES remains the preferred encryption standard for governments, banks and high-security systems around the world. AES-256 uses 14 rounds for 256-bit keys. A round is composed of a few processing steps, including substitution, shifting of rows and mixing of the input plaintext, which together convert it into ciphertext. The flow chart of the AES algorithm is shown in Fig. 8. The four steps that compose a standard round are:
• Substitute bytes: a nonlinear procedure that applies the S-box byte by byte to the data block.
• Shift rows: a simple transformation that cyclically shifts the bytes within each row of the data block.
• Mix columns: a simple transformation that uses arithmetic over GF(2^8) to group 4 bytes together as a 4-term polynomial, then multiplies it by a fixed polynomial (equivalently, a fixed 4x4 matrix).
• Add round key: bitwise XOR of the current block with a portion of the expanded key.
The encryption and decryption structure of the AES algorithm with these four steps is shown in Fig. 8. The AES encryption pseudocode is given in Pseudocode 2.
Cipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])
begin
    byte state[4,Nb]
    state = in
    AddRoundKey(state, w)
    for round = 1 step 1 to Nr-1
        SubBytes(state)
        ShiftRows(state)
        MixColumns(state)
        AddRoundKey(state, w + round*Nb)
    end for
    SubBytes(state)
    ShiftRows(state)
    AddRoundKey(state, w + Nr*Nb)
    out = state
end
Pseudocode 2: AES encryption pseudocode
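As an added example (not the paper's or the project's code), here is Pseudocode 2 carried through in pure Python, with the S-box and the key expansion derived in code rather than tabulated; for AES-256 the key expansion yields Nk = 8 key words and Nr = 14 rounds. It reproduces the FIPS-197 Appendix C.3 vector: key bytes 00..1f and plaintext 00112233445566778899aabbccddeeff encrypt to 8ea2b7ca516745bfeafc49904b496089. It follows the pseudocode for study, not for speed.

```python
# Added example, not the paper's code: Pseudocode 2 (FIPS-197 Cipher) in pure Python
# with S-box and key expansion derived in code. State is column-major: (r, c) -> 4*c + r.

def xtime(a: int) -> int:  # multiply by x in GF(2^8) modulo x^8+x^4+x^3+x+1
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def gmul(a: int, b: int) -> int:  # general GF(2^8) multiplication
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def _sbox() -> list:
    # Entry = affine transform of the multiplicative inverse x^254 (0 maps to 0).
    box = []
    for x in range(256):
        inv, p, e = 1, x, 254
        while e:
            if e & 1:
                inv = gmul(inv, p)
            p, e = gmul(p, p), e >> 1
        s = inv
        for i in range(1, 5):  # XOR with four left rotations, then 0x63
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box

SBOX = _sbox()

def key_expansion(key: bytes):
    """FIPS-197 KeyExpansion. Returns (w, Nr); w is a list of 4-byte words."""
    nk, nr = len(key) // 4, len(key) // 4 + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, SubWord, Rcon
            t[0] ^= rcon
            rcon = xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]  # extra SubWord, AES-256 only
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return w, nr

def sub_bytes(s): return [SBOX[b] for b in s]

def shift_rows(s):
    # Row r rotates left by r: new (r, c) = old (r, (c + r) mod 4).
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3,
                a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3),
                gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2)]
    return out

def add_round_key(s, w, rnd):
    # Column c of the state is XORed with expanded-key word w[4*rnd + c].
    return [s[4 * c + r] ^ w[4 * rnd + c][r] for c in range(4) for r in range(4)]

def cipher(block: bytes, w, nr: int) -> bytes:
    """Pseudocode 2 line by line: Nr-1 full rounds, last round without MixColumns."""
    state = add_round_key(list(block), w, 0)
    for rnd in range(1, nr):
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), w, rnd)
    state = add_round_key(shift_rows(sub_bytes(state)), w, nr)
    return bytes(state)

def aes_encrypt_block(key: bytes, block: bytes) -> bytes:
    if len(key) not in (16, 24, 32) or len(block) != 16:
        raise ValueError("key must be 16, 24 or 32 bytes and block 16 bytes")
    w, nr = key_expansion(key)
    return cipher(block, w, nr)
```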
Fig 8: Flow Chart of AES Algorithm
6.1 Compile time and Execution time
Compile time refers to the amount of time required for compilation; type checking, register allocation, code generation and code optimization are typically done at compile time. Execution time refers to the amount of time required to execute a program. The AES-256 encryption program was compiled with the online compiler dotnetfiddle [19]. Table 2 gives the compile time and execution time of the AES-256 program in C#.
Table 2: Compile time and execution time of AES-256 program using C#
Sl.No | Date & Time (dd/mm/yyyy) | Compile Time in seconds | Execution Time in seconds | Memory in kilobytes | CPU in seconds
1     | 11/03/2018, 5:18:39 pm   | 0.156                   | 0                         | 16                  | 0
2     | 11/03/2018, 5:23:20 pm   | 0.156                   | 0.016                     | 16                  | 0.031
3     | 11/03/2018, 5:24:37 pm   | 0.156                   | 0.016                     | 16                  | 0.031
4     | 11/03/2018, 5:25:45 pm   | 0.156                   | 0                         | 24                  | 0
5     | 11/03/2018, 5:26:16 pm   | 0.156                   | 0                         | 16                  | 0
6     | 11/03/2018, 5:26:48 pm   | 0.156                   | 0                         | 24                  | 0
Table 3: Comparison of RSA, DES, 3DES and AES [20]
AES is found to be at least six times faster than triple DES. Column 5 of Table 3 (the AES column) shows that AES is the fastest and offers excellent security.
6.2) Client Side Encryption with JavaScript
In our project we used client-side encryption to hide the data from everyone. By performing encryption at the client side, plaintext information is never transmitted outside the user's environment. Client-side encryption is performed locally within the browser, and the private key is never transmitted to the server. Client-side JavaScript has become ubiquitous in web applications to improve user experience and reduce server load. User data is encrypted at the client, not on the server or in the cloud. The comparison of server-side and client-side encryption is shown in Table 4.
Table 4: Comparison of server side and client side encryption
Sl. No | Encryption deployed on | Owner of the data | Who controls the encryption keys | Who can view & use the data
1      | Server side            | User              | The server provider              | User and the server provider
2      | Client side            | User              | User                             | User
From the analysis in Table 4, it is clear that client-side encryption significantly improves our overall data security posture: you, the owner of the data, are always in control, not the cloud-based storage provider.
7. SYSTEM DESIGN
The system design of the proposed five factor authentication (5FA) method is shown in fig 9.
Table 3: Comparison of RSA, DES, 3DES and AES [20]
Factors      | RSA                                                   | DES                    | 3DES                                             | AES
Developed by | Ron Rivest, Adi Shamir and Leonard Adleman in 1978    | IBM in 1975            | IBM in 1978                                      | Vincent Rijmen and Joan Daemen in 2001
Key length   | Depends on the number of bits in the modulus n, n=p*q | 56 bits                | 168 bits (k1, k2 and k3) or 112 bits (k1 and k2) | 128, 192 or 256 bits
Round(s)     | 1                                                     | 16                     | 48                                               | 10 (128-bit key), 12 (192-bit key), 14 (256-bit key)
Block size   | Variable                                              | 64 bits                | 64 bits                                          | 128 bits
Cipher type  | Asymmetric block cipher                               | Symmetric block cipher | Symmetric block cipher                           | Symmetric block cipher
Speed        | Slowest                                               | Slow                   | Very slow                                        | Fast
Security     | Least secure                                          | Not secure enough      | Adequate security                                | Excellent security
Fig 9: The new system design of the proposed five factor authentication (5FA) method
8. IMPLEMENTATION AND EVALUATION
The algorithms were implemented using ASP.NET with C#. Installation of Visual Studio 2010 and SQL Server 2008 is necessary for our system. This work was successfully completed with the implementation of the Five-Factor Authentication method.
9. ADVANTAGES
If the proposed system is implemented in web applications, the advantages are: (i) it improves data security to the highest level; (ii) since there are five levels of protection, it provides defence in depth; (iii) cybercriminals cannot enter the user's account; (iv) all the user's data are encrypted before being stored on the server; (v) the world's highest-security AES-256 encryption algorithm is used.
10. RESULTS AND DISCUSSION
The result obtained after implementing the proposed 5FA method is given in Figure 10. We applied our project with PG students of Computer Science in the Malankara Catholic College computer lab and performed the login process with 25 students (10 male students and 15 female students) between the ages of 20 and 23. We successfully verified and executed the project with the 5FA method using the AES-256 encryption technique. The time taken to complete the login process is given in Table 5.
Table 5: Time taken to complete log in process
Sl. No | Gender | Total no. of students | Average Time (minutes)
1      | Male   | 10                    | 1.188
2      | Female | 15                    | 1.251
Column 4 of Table 5 shows that the average times to complete the login process are 1.188 and 1.251 minutes for male and female students respectively. Compared with the 2FA method, it takes much more time to complete the login process, but at the same time it is the most secure login process.
11. CONCLUSION
Encryption algorithms play an important role in data security in the cloud. Existing authentication methods are two-level security methods. The 2FA method is not suitable for today's technological world: it allows unauthorised persons to enter the user's account. The 5FA method improves security with five different levels of security; no hackers or cybercriminals will gain access to the user's account. Five-factor authentication is a recommended best practice for protecting sensitive data, and is sometimes required by law when handling certain types of information. Graphical image-based authentication is more secure than any other authentication. It is impossible to hack the data, and brute-force attacks are also avoided. If you are looking to increase online security, turn on the Five-Factor Authentication method. It is the best and most secure authentication method, better than any other method. The 5FA method can help protect you from a potentially devastating account breach.
REFERENCES
[1] https://help.github.com/articles/securing-your-account-with-two-factor-authentication-2fa/
[2] https://www.tutorialspoint.com/cryptography/cryptography_hash_functions.htm
[3] https://www.fidelissecurity.com/threatgeek/2018/05/github-cyber-danger-plain-sight
[4] https://www.turnon2fa.com/
[5] https://www.turnon2fa.com/about/
[6] https://www.turnon2fa.com/simple-online-safety-tips-cyber-security-awareness-month/
[7] https://motherboard.vice.com/en_us/article/bj8pvq/hackers-steal-6-million-user-accounts-for-cash-for-surveys-site
[8] https://www.csoonline.com/article/3236716/authentication/how-hackers-crack-passwords-and-why-you-cant-stop-them.html
[9] https://www.entrepreneur.com/article/246902
[10] https://keepersecurity.com/
[11] https://keepersecurity.com/business.html
[12] https://www.interserver.net/blog/
[13] https://www.adwebtech.com/two-factor-authentication/
[14] https://blog.dashlane.com/beginners-guide-to-2fa-and-u2f-to-secure-passwords/
[15] https://www.phonon.in/portal/2016/12/09/otp-generation-and-verification-solution/
[16] https://www.c-sharpcorner.com/article/introduction-to-aes-and-des-encryption-algorithms-in-net/
[17] https://nciphers.com/tutorial/aes/
[18] http://www.crypto-it.net/eng/symmetric/aes.html?tab=0
[19] https://dotnetfiddle.net/fr8zz9
[20] https://pdfs.semanticscholar.org/187d/26258dc57d794ce4badb094e64cf8d3f7d88.pdf
[21] https://www.garykessler.net/library/crypto.html#fig20
[22] https://www.ibr.cs.tu-bs.de/users/goltzsch/papers/eurosec2017-trustjs.pdf
[23] http://startuphyderabad.com/client-side-encryption-vital-privacy-business-confidentiality-third-party-untrusted-clouds/
[24] https://www.pcworld.com/article/3310040/security/facebook-account-breach-faq.html
[25] https://www.express.co.uk/life-style/science-technology/862255/Yahoo-Account-Hack-Change-Password-Check-Email
[26] https://info.shapesecurity.com/2017-Credential-Spill-Report.html
AUTHORS
T. Ebanesar MCA., M.Phil., B.Ed. is working as an Assistant Professor in the Department of Computer Science, Malankara Catholic College, Mariagiri, Tamilnadu, INDIA from June 2008 till date. Earlier I had worked as a Lecturer in N.M.S.S. Vellaichamy Nadar College, Madurai from 2004 to 2008. His main research area focuses on Cloud Computing, Email Technologies, Artificial Intelligence and Security in Computing. He has 13 years of experience in teaching. My personal website: www.ebanesar.in
Dr. G. Suganthi M.Sc., M.Phil., B.Ed., PGDCA, Ph.D
She is working as an Associate Professor in the Department of Computer Science, Women's Christian College, Nagercoil, Tamilnadu, INDIA from June 2008 till date.
She is guiding 6 Ph.D. scholars. She has presented 15 papers in national and international conferences and published 8 papers in international journals. She has authored 2 books. She has been serving as the IQAC Co-ordinator since 2012. She is a doctoral committee member of St. Joseph's College (Autonomous), Thiruchirapalli. She received two awards, namely the Shiksha Rattan Puraskar in October 2012 at New Delhi and the Best Citizen Award from International Publishing House, New Delhi in February 2013.